A CONFLUENCE of cybersecurity buzz-generators — entrepreneurial, serendipitous and opportunistic — conspired to thrust the state Revenue Department’s failure to protect our most sensitive financial information back into the spotlight this week.
The entrepreneurial reminder came when Experian, the credit bureau that the state gave an emergency $12 million contract last fall to provide credit monitoring for a year, sent out another round of come-ons trying to convince South Carolinians to buy its service. The notices were emailed three days before we could start signing up for the monitoring that we already paid for through our state taxes, provided by a cheaper contract that the state negotiated with CSIdentity Corp. A contract Experian had refused even to bid on. At least this month’s sales pitch didn’t imply that the state wasn’t providing credit monitoring, as the one in September had.
The serendipitous reminders came from two Republican constitutional officers observing National Cyber Security Awareness Month. And how did we miss that irony last year, when Gov. Nikki Haley announced, in the middle of it, that cyberthieves had lifted the tax returns (think Social Security and bank account numbers) of 6.4 million individuals and businesses from her Revenue Department?
Attorney General Alan Wilson invited law enforcement to a training session on identity-theft investigations, and in the week’s most bizarre move, Superintendent Mick Zais’ Education Department held an Employee Document Shred Day. That’s certainly useful for protecting important paper documents, which lots of us don’t do so well, but I’m not sure what it has to do with cybersecurity. The Revenue Department could have shredded every last piece of paper it possessed, and cyberthieves still would have our data — in a far more dangerous form than paper.
The opportunistic reminder came from the state Democratic Party, which held a week-long series of “silent vigils” to call attention to the one-yearish anniversary of what party officials call Gov. Haley’s failure to protect our financial data, followed by a 16-day “cover up” before she announced the breach. (The attack occurred in September, the federal government informed the governor Oct. 10, and she announced it on Oct. 26.)
The questions of whether the governor was responsible for the fiasco and whether she was honest in its immediate aftermath are legitimate topics for debate in the gubernatorial campaign. And I have no doubt that they will be debated.
What I’m more pessimistic about, a year on, is whether the larger issues will be addressed.
For all we heard about who’s to blame and how to sign up for credit protection (go to scidprotection.com or call 855-880-2743), what we didn’t hear a thing about — from the governor or the Republicans in the Legislature or the Democrats in or out of the Legislature — was how we fix the systemic problems that ultimately invited the largest breach of state government data in the country to occur here in South Carolina.
Simply fixing the security procedures at the Revenue Department to make sure that no one else steals our financial data is necessary — and indications are that this has been done — but it’s not adequate. Neither is it adequate for every government agency in South Carolina to review and update its own cybersecurity policies — though that too is necessary, and incomplete.
What we need, what we have a right to expect, is a system that requires smarter security and that can recognize the absence of that long before our vulnerabilities turn into disasters.
Yet the Legislature failed this session to create such a system; in fact, even though the Senate passed a bill that moves in that direction, no one even put forward a plan that includes all of the elements we need. Instead, legislators essentially threw up their hands in despair because all this cybersecurity stuff feels so foreign, the language so daunting.
But the Legislature doesn’t have to design a cybersecurity plan. It has to come up with a governance plan. And the principles are straightforward.
Our state’s central information technology division has no authority to set standards, much less enforce them, so the Revenue Department was free to ignore its recommendations. As are all state agencies.
We got hacked because no one was taking computer security seriously enough. The people in charge of the Revenue Department didn’t know or apparently care much about it.
What we need is a central office that can set and enforce security standards across state government. It should report directly to the governor rather than a commission, because having one boss instead of multiple bosses leads to faster and surer responses to problems.
And the Legislature needs to start acting like a Legislature and provide oversight of state agencies — not just the Revenue Department, but the entire state government. That starts with knowing enough about how each agency operates to recognize its vulnerabilities, which our Legislature simply is not capable of today.
Ms. Scoppe can be reached at email@example.com.